This post shows how to create networks in OpenStack that are backed by physical networks. This is used, for example, for virtual Customer Premises Equipment (vCPE) to provide additional functions between an Internet service provider (ISP) and customer (see Blog 1 of this series, Enabling vCPE with OpenStack* – Get Started). In this case, the LAN and WAN networks are connected to physical networks using provider networks. This starts with configuration on the host.

Figure 1 shows the network we are going to create in this post, using the vCPE as an example use case.

Declare the bridge mappings in the local.conf, if using devstack, or in the appropriate config files if using an alternative deployment method. Here, the virtual networks are called LAN-provider and WAN-provider and will be mapped to the br-LAN and br-WAN bridges respectively. Add and/or replace the following lines:

Before building the network, allow ARP spoofing in the Neutron agent so that the VNF instances can forward IP packets. With ARP spoofing allowed, the L2 VNF can forward frames unmodified, and they are then propagated throughout the network. Specify this in the local.conf:
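As an added example (not part of the original post), this Python check reads a devstack local.conf and reports the bridge mappings, any flat network without a mapping, and whether ARP spoofing protection has been switched off. The option names `flat_networks`, `bridge_mappings` and `prevent_arp_spoofing` and their sections are assumptions, since the page does not show them, and the sample file is constructed.

```python
import re

# Constructed sample; option names are assumptions (not shown on this page).
SAMPLE_LOCAL_CONF = """\
[[local|localrc]]
HOST_IP=192.0.2.10

[[post-config|/$Q_PLUGIN_CONF_FILE]]
[ml2_type_flat]
flat_networks = LAN-provider,WAN-provider
[ovs]
bridge_mappings = LAN-provider:br-LAN,WAN-provider:br-WAN
[agent]
prevent_arp_spoofing = False
"""

def parse_local_conf(text):
    """Map (meta_section, ini_section) -> {option: value}."""
    meta, section, conf = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"\[\[(.+)\]\]", line):   # devstack meta-section
            meta, section = m.group(1), None
        elif m := re.fullmatch(r"\[(.+)\]", line):     # ordinary INI section
            section = m.group(1)
        elif "=" in line:
            key, _, value = line.partition("=")
            conf.setdefault((meta, section), {})[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return (physnet -> bridge mappings, list of findings)."""
    mappings, flat, findings = {}, [], []
    for (_meta, section), opts in parse_local_conf(text).items():
        if section == "ovs":
            for pair in filter(None, opts.get("bridge_mappings", "").split(",")):
                physnet, _, bridge = pair.strip().partition(":")
                mappings[physnet] = bridge
        elif section == "ml2_type_flat":
            flat = [n.strip() for n in opts.get("flat_networks", "").split(",") if n.strip()]
        elif section == "agent":
            if opts.get("prevent_arp_spoofing", "").lower() == "false":
                findings.append("ARP spoofing protection is off for all ports on this agent")
    findings += [f"{n}: flat network has no bridge mapping" for n in flat if n not in mappings]
    return mappings, findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LOCAL_CONF), sep="\n")
```

Because the ARP spoofing option is set on the agent, it applies to every port that agent serves, so the same check is useful on hosts that are not meant to carry VNF traffic.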

Subnets are needed to specify network addresses on the networks. The internal and LAN networks have the same subnet addresses because the bump is invisible and the router needs to appear to be on the LAN network. Create these subnets and then associate them with the appropriate networks:

Create the network ports with security groups disabled; this is done so that the L2 VNF (which is invisible to the network) can receive packets that are not destined for it. The ports for the router will have specific IP addresses assigned, which are the gateways for the LAN and WAN networks:

These VMs should be added to the default security group, which has been modified to allow ping and SSH between VMs:

```
$ nova add-secgroup bump default
$ nova add-secgroup router default
```

Hey presto! It works?

After following the instructions, the network setup should look a little like Figure 2 when viewed in Horizon* (OpenStack Dashboard). LAN and WAN networks are connected to eth0 and eth1, respectively, through the provider networks and bridge mappings (not shown here).

**Figure 2**: _OpenStack Horizon network topology view_

Once this is set up, we must make sure it works. This can be done by assigning IP addresses to the `br-LAN` and `br-WAN` interfaces, and pinging from one to the other.

If all went well, then there is a response, and traffic flows through the network!

_This post first appeared on the [Intel Developer Zone blog](https://software.intel.com/en-us/blogs/2016/06/21/enabling-vcpe-with-openstack-create-networks). Superuser is always interested in community content, email: [email protected]_
